Set up Device Access SCEP certificates

You can set up Device Access Simple Certificate Enrollment Protocol (SCEP) certificates for macOS. These certificates deploy with your mobile device management (MDM) software, and are used to grant access to specific API endpoints and to identify the device making the calls. Certificates set up for Device Access aren't used to attest the management status of a device. See Configure a Certificate Authority for more information about management attestation.

Device Access SCEP certificates are required to use Desktop Password Sync on devices running macOS Sonoma (14.0) and later. See Update Desktop Password Sync for macOS 14 for more information.

Configure Okta as a CA for Device Access

There are three different ways that you can configure Okta as a Certificate Authority (CA) for Device Access:

  1. Okta as a CA with static SCEP.

  2. Okta as a CA with dynamic SCEP.

  3. Okta as a CA with delegated SCEP.

The configuration of each certificate follows the same process as configuring Okta as a CA for device management. While following the appropriate process for your org, make the following two minor changes so that the CA is used specifically for Device Access:

  1. In the Okta Admin Console, open Security > Device Integrations and click the Device Access tab instead of the Endpoint management tab.

  2. When creating the SCEP profile in Jamf Pro, set the Level of the SCEP profile to Computer Level instead of User Level.

Follow the appropriate process for your org and operating systems:

  1. Configure Okta as a CA with static SCEP challenge for macOS using Jamf Pro

  2. Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro

  3. Configure Okta as a CA with delegated SCEP challenge for macOS using MEM (formerly Intune)

Click the Device Access tab to configure the Certificate Authority for Device Access, and remember to set the SCEP profile to Computer Level in your MDM.

Use your own Certificate Authority for Device Access

You can use your own Certificate Authority for Device Access.

  1. Sign in to the Admin Console.

  2. Go to Security > Device Integrations and then click the Certificate Authority tab.

  3. Click Add certificate authority.

  4. Select the Device Access radio button.

  5. Click Browse files and then select the appropriate certificate file to upload. Okta uploads certificates automatically, and a message appears if the upload was successful. To view details about the certificate, click View root certificate chain details.

  6. Click Save.

Using your own Certificate Authority for Device Access follows the same process as using your own CA for device management. Follow the process outlined in Use your own certificate authority for managed devices. Note the three minor changes required so that the CA is used specifically for Device Access:

  1. Before uploading the certificate to Okta in the Admin Console, select the Device Access radio button.

  2. In your MDM, ensure that the certificate is deployed at the Computer Level.

  3. You can skip the steps that discuss Endpoint management.

After the certificate is uploaded, add a custom certificate extension to the client certificates issued through SCEP so that Device Access can locate and select the correct certificate. Add the following values to the certificate extension:

  • Extension OID: 1.3.6.1.4.1.51150.13.1

  • Extension value: 1 (integer)

The format of the certificate extension varies depending on your CA provider. Refer to your provider's documentation for the appropriate format to use. As an example, the custom extension certificate profile for DigiCert would be as follows:

  {
    "oid": "1.3.6.1.4.1.51150.13.1",
    "critical": true,
    "template": {
      "type": "INTEGER",
      "value": "1"
    }
  }

If you configured Okta as the CA for Device Access, Okta completes this step for you.

Verify the certificate deployment

After the CA is set up and the certificates deployed, verify that the certificates have been deployed to your org's desktop devices as expected.

  1. On a macOS device that's managed by Jamf Pro, open System Preferences > Profiles.

  2. Click Keychain and then click Login.

  3. Verify that a client certificate and its associated private key exist.

  4. Verify that a custom extension with OID 1.3.6.1.4.1.51150.13.1 is present on the client certificate.

If you're unable to verify that the certificate was deployed with the required settings, go over the steps again and ensure that Device Access was selected in the Okta Admin Console and that the certificates were set to Computer Level in your MDM.
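The extension that Device Access looks for (OID 1.3.6.1.4.1.51150.13.1 with INTEGER value 1, as described in the "Use your own Certificate Authority" section and checked in step 4 above) is an ordinary RFC 5280 X.509 extension. The following added example, which is not Okta's code or any CA vendor's code, builds that extension in DER with a minimal standard-library-only encoder, and parses an Extensions SEQUENCE back to check that the marker is present with the expected value. The sample Extensions blocks at the bottom are constructed for the demonstration, not taken from a real certificate; the helper names are this example's own.

```python
"""Encode and check the Device Access marker extension (OID 1.3.6.1.4.1.51150.13.1).

Added example, not Okta's or a CA vendor's code. Standard library only, so it can
run on any workstation without extra packages.
"""

DEVICE_ACCESS_OID = "1.3.6.1.4.1.51150.13.1"
DEVICE_ACCESS_VALUE = b"\x02\x01\x01"  # DER INTEGER 1: tag 02, length 01, value 01


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128, high bit set on every byte but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER back to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_extension(oid: str, critical: bool, value_der: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    parts = encode_oid(oid)
    if critical:
        parts += _tlv(0x01, b"\xff")  # DER omits the BOOLEAN when it equals the default FALSE
    parts += _tlv(0x04, value_der)
    return _tlv(0x30, parts)


def device_access_extension(critical: bool = True) -> bytes:
    """The marker extension exactly as the DigiCert template above describes it."""
    return build_extension(DEVICE_ACCESS_OID, critical, DEVICE_ACCESS_VALUE)


def parse_extensions(extensions_der: bytes):
    """Parse a DER Extensions SEQUENCE into a list of (oid, critical, extnValue bytes)."""
    tag, seq, _ = _read_tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = _read_tlv(seq, pos)
        _, oid_bytes, p = _read_tlv(ext, 0)
        tag, content, p = _read_tlv(ext, p)
        critical = False
        if tag == 0x01:  # optional critical flag present
            critical = content == b"\xff"
            tag, content, p = _read_tlv(ext, p)
        result.append((decode_oid(oid_bytes), critical, content))
    return result


def has_device_access_marker(extensions_der: bytes) -> bool:
    """True when the Device Access OID is present and its value decodes as INTEGER 1."""
    for oid, _critical, value in parse_extensions(extensions_der):
        if oid == DEVICE_ACCESS_OID:
            tag, content, _ = _read_tlv(value, 0)
            return tag == 0x02 and int.from_bytes(content, "big", signed=True) == 1
    return False


# Constructed sample Extensions blocks for the demonstration (not real certificate data).
BASIC_CONSTRAINTS = build_extension("2.5.29.19", False, b"\x30\x00")  # empty SEQUENCE: not a CA
GOOD_EXTENSIONS = _tlv(0x30, BASIC_CONSTRAINTS + device_access_extension())
WRONG_VALUE = _tlv(0x30, build_extension(DEVICE_ACCESS_OID, True, b"\x02\x01\x02"))  # INTEGER 2
MISSING_MARKER = _tlv(0x30, BASIC_CONSTRAINTS)

if __name__ == "__main__":
    print("marker DER:", device_access_extension().hex())
    for name, blob in [("good", GOOD_EXTENSIONS), ("wrong value", WRONG_VALUE), ("missing", MISSING_MARKER)]:
        print(f"{name}: {has_device_access_marker(blob)}")
```

The bytes this produces are what the JSON template in the DigiCert example maps to: the OID, a critical flag of TRUE, and an OCTET STRING wrapping the DER INTEGER 1 (`02 01 01`). When checking a deployed certificate, `openssl x509 -in cert.pem -noout -text` lists the OID under the extensions section; the value must be the single INTEGER 1, since a different value (shown here with `WRONG_VALUE`) or a missing extension both fail the check.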

Related topics

Configure a Certificate Authority

Client certificates

Management attestation FAQ

Desktop MFA for Windows

Desktop MFA for macOS

Desktop Password Sync for macOS